CVE-2024-49394
Publication date 12 November 2024
Last updated 16 December 2024
Ubuntu priority
In mutt and neomutt the In-Reply-To email header field is not protected by cryptographic signing which allows an attacker to reuse an unencrypted but signed email message to impersonate the original sender.
Read the notes from the security team
Why is this CVE low priority?
This is a longstanding limitation of PGP-encrypted mail and is an enhancement rather than an actual vulnerability.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| mutt | 24.10 oracular | Ignored no fix planned |
| 24.04 LTS noble | Ignored no fix planned | |
| 22.04 LTS jammy | Ignored no fix planned | |
| 20.04 LTS focal | Ignored no fix planned | |
| 18.04 LTS bionic | Ignored no fix planned | |
| 16.04 LTS xenial | Ignored no fix planned | |
| neomutt | 24.10 oracular |
Vulnerable
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Vulnerable
|
Notes
john-breton
Mutt project does not plan to address CVE-2024-49393, CVE-2024-49394, and CVE-2024-49395.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.3 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2024-49394
- https://bugzilla.redhat.com/show_bug.cgi?id=2325330
- https://access.redhat.com/security/cve/CVE-2024-49394
- https://gitlab.com/muttmua/mutt/-/issues/490#note_2209448655
- http://mutt.org/doc/manual/#crypt-protected-headers-read
- https://github.com/neomutt/neomutt/commit/13cfc6f98322eafdc30ecc4c15999d401950a1d9